


Control Acronym



Incident Response

CMMC Level


800-171 Control #


CMMC Description

Develop and implement responses to declared incidents according to pre-defined procedures.

CMMC Clarification

Write procedures ahead of time to use when responding to incidents. These procedures will help guide the development and implementation of responses during an incident. Responses should prevent or contain the impact of an incident while it is occurring or shortly after. The type of response will vary depending on the incident. Response actions might include:

* stopping or containing the damage (e.g., by taking hardware or systems offline)
* communicating to users (e.g., avoid opening a specific type of email message)
* communicating to stakeholders (e.g., corporate management)
* implementing controls (e.g., updating access control lists).

Example

You are in charge of IT operations for your company. In this role, you manage all declared incidents. You have procedures in place for handling different types of declared incidents. For example, when you identify a phishing email incident, you have a process in place. You notify your company about the suspicious email and what to do when you receive it.

800-171 Description

800-171 Discussion


Other Source Discussion

CERT RMM V1.2

Responding to an organizational incident is often dependent on proper advance planning by the organization in establishing, defining, and staffing an incident management capability. Responding to an incident describes the actions the organization takes to prevent or contain the impact of an incident on the organization while it is occurring or shortly after it has occurred. The range, scope, and breadth of the organizational response will vary widely depending on the nature of the incident. Incident response may be as simple as notifying users to avoid opening a specific type of email message or as complicated as having to implement service continuity plans that require relocation of services and operations to an off-site provider. The broad range of potential incidents requires the organization to have a broad range of capability in incident response.

CIS Control References

CIS Controls v7.1 19.1

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IR-4

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

IR.2.096.[a] the organization has an incident declaration process; and

Assessment Sub-Criteria 2

IR.2.096.[b] the organization has predefined procedures that address incident response activities.
